Diversity and Defense in Depth in Digital Instrumentation and Controls

Each safety system in an NRC-licensed nuclear plant or other facility must operate regardless of failures from within
or outside the safety system. The NRC regulations establishing this requirement are found in Title 10, Part 50, “Domestic Licensing
of Production and Utilization Facilities,” of the Code of Federal Regulations
(10 CFR Part 50).

General Design Criteria for Diversity and Defense in Depth

In particular, General Design Criterion (GDC) 21, “Protection
System Reliability and Testability,” in 10 CFR Part 50 requires in part that “…(1)
no single failure results in the loss of the protection system….” In
addition, GDC 22, “Protection System Independence,” requires that

[t]he
protection system shall be designed to assure that the effects of natural phenomena,
and of normal operating, maintenance, testing, and postulated accident conditions
on redundant channels do not result in loss of the protection function, or
shall be demonstrated to be acceptable on some other defined basis. Design
techniques, such as functional diversity or diversity in component design and
principles of operation, shall be used to the extent practical to prevent loss
of the protection function.

These GDCs mandate diverse design features to minimize the possibility of
a common-cause failure (CCF) that could result in the loss of a protection
function. Nuclear power plant safety system designs rely on three design principles
to compensate for failures that could degrade safety system reliability, specifically

functional defense in depth,

functional diversity, and

system diversity.

Ensuring Against Common-Cause Failure

Industry experience with digital I&C systems has shown that reliance upon
quality assurance processes alone has not been adequately effective at preventing
CCFs, even in high-integrity digital systems. Unanticipated
CCFs are more likely in digital systems than in analog systems, because redundant channels typically run identical software on identical hardware, so a single latent design or implementation defect can disable every channel at the same time. It is therefore important to ensure that digital technology is applied in a manner that addresses functional defense-in-depth, functional diversity, and system diversity
features.
Additionally, it is necessary to confirm that CCF vulnerabilities are not introduced
when a system is modified.
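The following is an added worked example, not NRC text or any licensee's analysis, that puts numbers behind the argument above and the three design principles listed earlier: redundancy of identical channels does little against a common-cause failure, while a diverse backup does. It assumes the beta-factor CCF model (a fraction beta of each channel's failure probability is a shared cause that fails all identical channels together), which the page does not mention. The per-channel failure probability, beta, the 2-out-of-4 voting arrangement and the backup's failure probability are constructed figures for illustration only.

```python
from math import comb


def koon_loss_independent(p, k, n):
    """Probability that a k-out-of-n voted protection function is lost when
    the n channels fail independently, each with probability p (no common
    cause).  The function survives while at least k channels work, so it is
    lost once n-k+1 or more channels have failed."""
    return sum(comb(n, j) * p ** j * (1 - p) ** (n - j)
               for j in range(n - k + 1, n + 1))


def koon_loss_beta_factor(p, beta, k, n):
    """Beta-factor CCF model (an assumption of this example, not the page):
    a fraction beta of each channel's failure probability is a shared cause
    that fails all n identical channels at once; the remaining (1-beta)*p is
    independent.  The function is lost if the shared failure occurs, or if it
    does not and enough independent failures accumulate anyway."""
    p_ccf = beta * p
    p_ind = (1 - beta) * p
    return p_ccf + (1 - p_ccf) * koon_loss_independent(p_ind, k, n)


def loss_with_diverse_backup(p_primary, q_backup):
    """A diverse backup (different design and principle of operation) is
    assumed to fail independently of the primary system, so the protection
    function is lost only if both fail."""
    return p_primary * q_backup


def compare(p=0.01, beta=0.1, k=2, n=4, q_backup=0.01):
    """Constructed figures: per-channel failure probability p, CCF fraction
    beta, 2-out-of-4 voting, and a diverse backup that fails with
    probability q_backup."""
    ideal = koon_loss_independent(p, k, n)
    with_ccf = koon_loss_beta_factor(p, beta, k, n)
    diverse = loss_with_diverse_backup(with_ccf, q_backup)
    return {
        "redundancy_only_no_ccf": ideal,
        "redundancy_with_ccf": with_ccf,
        "redundancy_ccf_plus_diverse_backup": diverse,
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name:38s} {value:.3e}")
```

With these figures, four identical channels voted 2-out-of-4 would lose the function with probability of about 4e-6 if their failures were independent, but the shared-cause term alone contributes 1e-3, so the common-cause failure dominates by more than two orders of magnitude and adding more identical channels cannot reduce it. Placing a diverse system in parallel multiplies the remaining probability by the backup's own failure probability, which is why the GDCs call for diversity in component design and principles of operation rather than redundancy alone.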